Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs

8 files changed, 545 insertions, 30 deletions

diff --git a/nixpkgs/pkgs/test/cc-wrapper/default.nix b/nixpkgs/pkgs/test/cc-wrapper/default.nix
index 43e8e7a21426..8809030989e6 100644
--- a/nixpkgs/pkgs/test/cc-wrapper/default.nix
+++ b/nixpkgs/pkgs/test/cc-wrapper/default.nix
@@ -9,25 +9,29 @@ let
   );
   staticLibc = lib.optionalString (stdenv.hostPlatform.libc == "glibc") "-L ${glibc.static}/lib";
   emulator = stdenv.hostPlatform.emulator buildPackages;
+  libcxxStdenvSuffix = lib.optionalString (stdenv.cc.libcxx != null) "-libcxx";
 in stdenv.mkDerivation {
-  name = "cc-wrapper-test";
+  pname = "cc-wrapper-test-${stdenv.cc.cc.pname}${libcxxStdenvSuffix}";
+  version = stdenv.cc.version;
 
   buildCommand = ''
+    echo "Testing: ${stdenv.cc.name}" >&2
+    echo "With libc: ${stdenv.cc.libc.name}" >&2
     set -o pipefail
 
     NIX_DEBUG=1 $CC -v
     NIX_DEBUG=1 $CXX -v
 
-    printf "checking whether compiler builds valid C binaries... " >&2
+    echo "checking whether compiler builds valid C binaries... " >&2
     $CC -o cc-check ${./cc-main.c}
     ${emulator} ./cc-check
 
-    printf "checking whether compiler builds valid C++ binaries... " >&2
+    echo "checking whether compiler builds valid C++ binaries... " >&2
     $CXX -o cxx-check ${./cxx-main.cc}
     ${emulator} ./cxx-check
 
     ${lib.optionalString (stdenv.isDarwin && stdenv.cc.isClang) ''
-      printf "checking whether compiler can build with CoreFoundation.framework... " >&2
+      echo "checking whether compiler can build with CoreFoundation.framework... " >&2
       mkdir -p foo/lib
       $CC -framework CoreFoundation -o core-foundation-check ${./core-foundation-main.c}
       ${emulator} ./core-foundation-check
@@ -35,11 +39,11 @@ in stdenv.mkDerivation {
 
 
     ${lib.optionalString (!stdenv.isDarwin) ''
-      printf "checking whether compiler builds valid static C binaries... " >&2
+      echo "checking whether compiler builds valid static C binaries... " >&2
       $CC ${staticLibc} -static -o cc-static ${./cc-main.c}
       ${emulator} ./cc-static
       ${lib.optionalString (stdenv.cc.isGNU && lib.versionAtLeast (lib.getVersion stdenv.cc.name) "8.0.0") ''
-        printf "checking whether compiler builds valid static pie C binaries... " >&2
+        echo "checking whether compiler builds valid static pie C binaries... " >&2
         $CC ${staticLibc} -static-pie -o cc-static-pie ${./cc-main.c}
         ${emulator} ./cc-static-pie
       ''}
@@ -48,7 +52,7 @@ in stdenv.mkDerivation {
     ${# See: https://github.com/llvm/llvm-project/commit/ed1d07282cc9d8e4c25d585e03e5c8a1b6f63a74
       # `gcc` does not support this so we gate the test on `clang`
       lib.optionalString stdenv.cc.isClang ''
-        printf "checking whether cc-wrapper accepts -- followed by positional (file) args..." >&2
+        echo "checking whether cc-wrapper accepts -- followed by positional (file) args..." >&2
         mkdir -p positional
 
         # Make sure `--` is not parsed as a "non flag arg"; we should get an
@@ -66,13 +70,13 @@ in stdenv.mkDerivation {
         ${emulator} ./positional/main
     ''}
 
-    printf "checking whether compiler uses NIX_CFLAGS_COMPILE... " >&2
+    echo "checking whether compiler uses NIX_CFLAGS_COMPILE... " >&2
     mkdir -p foo/include
     cp ${./foo.c} foo/include/foo.h
     NIX_CFLAGS_COMPILE="-Ifoo/include -DVALUE=42" $CC -o cflags-check ${./cflags-main.c}
     ${emulator} ./cflags-check
 
-    printf "checking whether compiler uses NIX_LDFLAGS... " >&2
+    echo "checking whether compiler uses NIX_LDFLAGS... " >&2
     mkdir -p foo/lib
     $CC -shared \
       ${lib.optionalString stdenv.isDarwin "-Wl,-install_name,@rpath/libfoo.dylib"} \
@@ -83,7 +87,7 @@ in stdenv.mkDerivation {
     NIX_LDFLAGS="-L$NIX_BUILD_TOP/foo/lib -rpath $NIX_BUILD_TOP/foo/lib" $CC -lfoo -o ldflags-check ${./ldflags-main.c}
     ${emulator} ./ldflags-check
 
-    printf "Check whether -nostdinc and -nostdinc++ is handled correctly" >&2
+    echo "Check whether -nostdinc and -nostdinc++ is handled correctly" >&2
     mkdir -p std-include
     cp ${./stdio.h} std-include/stdio.h
     NIX_DEBUG=1 $CC -I std-include -nostdinc -o nostdinc-main ${./nostdinc-main.c}
@@ -92,7 +96,7 @@ in stdenv.mkDerivation {
     ${emulator} ./nostdinc-main++
 
     ${lib.optionalString sanitizersWorking ''
-      printf "checking whether sanitizers are fully functional... ">&2
+      echo "checking whether sanitizers are fully functional... ">&2
       $CC -o sanitizers -fsanitize=address,undefined ${./sanitizers.c}
       ASAN_OPTIONS=use_sigaltstack=0 ${emulator} ./sanitizers
     ''}
diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c
new file mode 100644
index 000000000000..48b9c268e728
--- /dev/null
+++ b/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c
@@ -0,0 +1,16 @@
+/* an example that should be protected by FORTIFY_SOURCE=1 */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+
+int main(int argc, char *argv[]) {
+    /* allocate on the heap so we're likely to get an
+     * over-allocation and can be more sure that a
+     * failure is because of fortify protection rather
+     * than a genuine segfault */
+    char* buffer = malloc(sizeof(char) * 7);
+    strcpy(buffer, argv[1]);
+    puts(buffer);
+    return 0;
+}
diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c
new file mode 100644
index 000000000000..dfb5a8e87294
--- /dev/null
+++ b/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c
@@ -0,0 +1,16 @@
+/* an example that should be protected by FORTIFY_SOURCE=2 but
+ * not FORTIFY_SOURCE=1 */
+#include <stdio.h>
+#include <string.h>
+
+struct buffer_with_pad {
+    char buffer[7];
+    char pad[25];
+};
+
+int main(int argc, char *argv[]) {
+    struct buffer_with_pad b;
+    strcpy(b.buffer, argv[1]);
+    puts(b.buffer);
+    return 0;
+}
diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c
new file mode 100644
index 000000000000..9a0a5f4792c3
--- /dev/null
+++ b/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c
@@ -0,0 +1,13 @@
+/* an example that should be protected by FORTIFY_SOURCE=3 but
+ * not FORTIFY_SOURCE=2 */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+
+int main(int argc, char *argv[]) {
+    char* buffer = malloc(atoi(argv[2]));
+    strcpy(buffer, argv[1]);
+    puts(buffer);
+    return 0;
+}
diff --git a/nixpkgs/pkgs/test/cc-wrapper/hardening.nix b/nixpkgs/pkgs/test/cc-wrapper/hardening.nix
new file mode 100644
index 000000000000..41ddaefdfea8
--- /dev/null
+++ b/nixpkgs/pkgs/test/cc-wrapper/hardening.nix
@@ -0,0 +1,396 @@
+{ lib
+, stdenv
+, runCommand
+, runCommandWith
+, runCommandCC
+, debian-devscripts
+}:
+
+let
+  # writeCBin from trivial-builders won't let us choose
+  # our own stdenv
+  writeCBinWithStdenv = codePath: stdenv': env: runCommandWith {
+    name = "test-bin";
+    stdenv = stdenv';
+    derivationArgs = {
+      inherit codePath;
+      preferLocalBuild = true;
+      allowSubstitutes = false;
+    } // env;
+  } ''
+    [ -n "$preBuild" ] && eval "$preBuild"
+    n=$out/bin/test-bin
+    mkdir -p "$(dirname "$n")"
+    cp "$codePath" code.c
+    NIX_DEBUG=1 $CC -x c code.c -O1 $TEST_EXTRA_FLAGS -o "$n"
+  '';
+
+  f1exampleWithStdEnv = writeCBinWithStdenv ./fortify1-example.c;
+  f2exampleWithStdEnv = writeCBinWithStdenv ./fortify2-example.c;
+  f3exampleWithStdEnv = writeCBinWithStdenv ./fortify3-example.c;
+
+  stdenvUnsupport = additionalUnsupported: stdenv.override {
+    cc = stdenv.cc.override {
+      cc = (lib.extendDerivation true {
+        hardeningUnsupportedFlags = (stdenv.cc.cc.hardeningUnsupportedFlags or []) ++ additionalUnsupported;
+      } stdenv.cc.cc);
+    };
+    allowedRequisites = null;
+  };
+
+  checkTestBin = testBin: {
+    # can only test flags that are detectable by hardening-check
+    ignoreBindNow ? true,
+    ignoreFortify ? true,
+    ignorePie ? true,
+    ignoreRelRO ? true,
+    ignoreStackProtector ? true,
+    expectFailure ? false,
+  }: let
+    expectFailureClause = lib.optionalString expectFailure
+      " && echo 'ERROR: Expected hardening-check to fail, but it passed!' >&2 && exit 1";
+  in runCommandCC "check-test-bin" {
+    nativeBuildInputs = [ debian-devscripts ];
+    buildInputs = [ testBin ];
+    meta.platforms = lib.platforms.linux;  # ELF-reliant
+  } ''
+    hardening-check --nocfprotection \
+      ${lib.optionalString ignoreBindNow "--nobindnow"} \
+      ${lib.optionalString ignoreFortify "--nofortify"} \
+      ${lib.optionalString ignorePie "--nopie"} \
+      ${lib.optionalString ignoreRelRO "--norelro"} \
+      ${lib.optionalString ignoreStackProtector "--nostackprotector"} \
+      $(PATH=$HOST_PATH type -P test-bin) ${expectFailureClause}
+    touch $out
+  '';
+
+  nameDrvAfterAttrName = builtins.mapAttrs (name: drv:
+    drv.overrideAttrs (_: { name = "test-${name}"; })
+  );
+
+  # returning a specific exit code when aborting due to a fortify
+  # check isn't mandated. so it's better to just ensure that a
+  # nonzero exit code is returned when we go a single byte beyond
+  # the buffer, with the example programs being designed to be
+  # unlikely to genuinely segfault for such a small overflow.
+  fortifyExecTest = testBin: runCommand "exec-test" {
+    buildInputs = [
+      testBin
+    ];
+    meta.broken = !(stdenv.buildPlatform.canExecute stdenv.hostPlatform);
+  } ''
+    (
+      export PATH=$HOST_PATH
+      echo "Saturated buffer:" # check program isn't completly broken
+      test-bin 012345 7
+      echo "One byte too far:" # eighth byte being the null terminator
+      (! test-bin 0123456 7) || (echo 'Expected failure, but succeeded!' && exit 1)
+    )
+    echo "Expected behaviour observed"
+    touch $out
+  '';
+
+  brokenIf = cond: drv: if cond then drv.overrideAttrs (old: { meta = old.meta or {} // { broken = true; }; }) else drv;
+
+in nameDrvAfterAttrName ({
+  bindNowExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "bindnow" ];
+  }) {
+    ignoreBindNow = false;
+  });
+
+  # musl implementation undetectable by this means even if present
+  fortifyExplicitEnabled = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+  }) {
+    ignoreFortify = false;
+  });
+
+  fortify1ExplicitEnabledExecTest = fortifyExecTest (f1exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+  });
+
+  # musl implementation is effectively FORTIFY_SOURCE=1-only,
+  # clang-on-glibc also only appears to support FORTIFY_SOURCE=1 (!)
+  fortifyExplicitEnabledExecTest = brokenIf (
+    stdenv.hostPlatform.isMusl || (stdenv.cc.isClang && stdenv.hostPlatform.libc == "glibc")
+  ) (fortifyExecTest (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+  }));
+
+  fortify3ExplicitEnabled = brokenIf (
+    stdenv.hostPlatform.isMusl || !stdenv.cc.isGNU || lib.versionOlder stdenv.cc.version "12"
+  ) (checkTestBin (f3exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify3" ];
+  }) {
+    ignoreFortify = false;
+  });
+
+  # musl implementation is effectively FORTIFY_SOURCE=1-only
+  fortify3ExplicitEnabledExecTest = brokenIf (
+    stdenv.hostPlatform.isMusl || !stdenv.cc.isGNU || lib.versionOlder stdenv.cc.version "12"
+  ) (fortifyExecTest (f3exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify3" ];
+  }));
+
+  pieExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "pie" ];
+  }) {
+    ignorePie = false;
+  });
+
+  relROExplicitEnabled = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "relro" ];
+  }) {
+    ignoreRelRO = false;
+  };
+
+  stackProtectorExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "stackprotector" ];
+  }) {
+    ignoreStackProtector = false;
+  });
+
+  bindNowExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "bindnow" ];
+  }) {
+    ignoreBindNow = false;
+    expectFailure = true;
+  };
+
+  fortifyExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortify3ExplicitDisabled = checkTestBin (f3exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify3" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortifyExplicitDisabledDisablesFortify3 = checkTestBin (f3exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify3" ];
+    hardeningDisable = [ "fortify" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortify3ExplicitDisabledDoesntDisableFortify = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+    hardeningDisable = [ "fortify3" ];
+  }) {
+    ignoreFortify = false;
+  };
+
+  pieExplicitDisabled = brokenIf (
+    stdenv.hostPlatform.isMusl && stdenv.cc.isClang
+  ) (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "pie" ];
+  }) {
+    ignorePie = false;
+    expectFailure = true;
+  });
+
+  # can't force-disable ("partial"?) relro
+  relROExplicitDisabled = brokenIf true (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "pie" ];
+  }) {
+    ignoreRelRO = false;
+    expectFailure = true;
+  });
+
+  stackProtectorExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "stackprotector" ];
+  }) {
+    ignoreStackProtector = false;
+    expectFailure = true;
+  };
+
+  # most flags can't be "unsupported" by compiler alone and
+  # binutils doesn't have an accessible hardeningUnsupportedFlags
+  # mechanism, so can only test a couple of flags through altered
+  # stdenv trickery
+
+  fortifyStdenvUnsupp = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["fortify"]) {
+    hardeningEnable = [ "fortify" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortify3StdenvUnsupp = checkTestBin (f3exampleWithStdEnv (stdenvUnsupport ["fortify3"]) {
+    hardeningEnable = [ "fortify3" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortifyStdenvUnsuppUnsupportsFortify3 = checkTestBin (f3exampleWithStdEnv (stdenvUnsupport ["fortify"]) {
+    hardeningEnable = [ "fortify3" ];
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  fortify3StdenvUnsuppDoesntUnsuppFortify = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["fortify3"]) {
+    hardeningEnable = [ "fortify" ];
+  }) {
+    ignoreFortify = false;
+  });
+
+  fortify3StdenvUnsuppDoesntUnsuppFortifyExecTest = fortifyExecTest (f2exampleWithStdEnv (stdenvUnsupport ["fortify3"]) {
+    hardeningEnable = [ "fortify" ];
+  });
+
+  stackProtectorStdenvUnsupp = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["stackprotector"]) {
+    hardeningEnable = [ "stackprotector" ];
+  }) {
+    ignoreStackProtector = false;
+    expectFailure = true;
+  };
+
+  # NIX_HARDENING_ENABLE set in the shell overrides hardeningDisable
+  # and hardeningEnable
+
+  stackProtectorReenabledEnv = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "stackprotector" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="stackprotector"
+    '';
+  }) {
+    ignoreStackProtector = false;
+  };
+
+  stackProtectorReenabledFromAllEnv = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "all" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="stackprotector"
+    '';
+  }) {
+    ignoreStackProtector = false;
+  };
+
+  stackProtectorRedisabledEnv = checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningEnable = [ "stackprotector" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE=""
+    '';
+  }) {
+    ignoreStackProtector = false;
+    expectFailure = true;
+  };
+
+  fortify3EnabledEnvEnablesFortify = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" "fortify3" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="fortify3"
+    '';
+  }) {
+    ignoreFortify = false;
+  });
+
+  fortify3EnabledEnvEnablesFortifyExecTest = fortifyExecTest (f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" "fortify3" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="fortify3"
+    '';
+  });
+
+  fortifyEnabledEnvDoesntEnableFortify3 = checkTestBin (f3exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" "fortify3" ];
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="fortify"
+    '';
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  # NIX_HARDENING_ENABLE can't enable an unsupported feature
+
+  stackProtectorUnsupportedEnabledEnv = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["stackprotector"]) {
+    preBuild = ''
+      export NIX_HARDENING_ENABLE="stackprotector"
+    '';
+  }) {
+    ignoreStackProtector = false;
+    expectFailure = true;
+  };
+
+  # undetectable by this means on static even if present
+  fortify1ExplicitEnabledCmdlineDisabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f1exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+    preBuild = ''
+      export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=0'
+    '';
+  }) {
+    ignoreFortify = false;
+    expectFailure = true;
+  });
+
+  # musl implementation undetectable by this means even if present
+  fortify1ExplicitDisabledCmdlineEnabled = brokenIf (
+    stdenv.hostPlatform.isMusl || stdenv.hostPlatform.isStatic
+  ) (checkTestBin (f1exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" ];
+    preBuild = ''
+      export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=1'
+    '';
+  }) {
+    ignoreFortify = false;
+  });
+
+  fortify1ExplicitDisabledCmdlineEnabledExecTest = fortifyExecTest (f1exampleWithStdEnv stdenv {
+    hardeningDisable = [ "fortify" ];
+    preBuild = ''
+      export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=1'
+    '';
+  });
+
+  fortify1ExplicitEnabledCmdlineDisabledNoWarn = f1exampleWithStdEnv stdenv {
+    hardeningEnable = [ "fortify" ];
+    preBuild = ''
+      export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=0 -Werror'
+    '';
+  };
+
+} // (let
+  tb = f2exampleWithStdEnv stdenv {
+    hardeningDisable = [ "all" ];
+    hardeningEnable = [ "fortify" "pie" ];
+  };
+in {
+
+  allExplicitDisabledBindNow = checkTestBin tb {
+    ignoreBindNow = false;
+    expectFailure = true;
+  };
+
+  allExplicitDisabledFortify = checkTestBin tb {
+    ignoreFortify = false;
+    expectFailure = true;
+  };
+
+  allExplicitDisabledPie = brokenIf (
+    stdenv.hostPlatform.isMusl && stdenv.cc.isClang
+  ) (checkTestBin tb {
+    ignorePie = false;
+    expectFailure = true;
+  });
+
+  # can't force-disable ("partial"?) relro
+  allExplicitDisabledRelRO = brokenIf true (checkTestBin tb {
+    ignoreRelRO = false;
+    expectFailure = true;
+  });
+
+  allExplicitDisabledStackProtector = checkTestBin tb {
+    ignoreStackProtector = false;
+    expectFailure = true;
+  };
+}))
diff --git a/nixpkgs/pkgs/test/default.nix b/nixpkgs/pkgs/test/default.nix
index d6fd75359fc4..b914ec26ae00 100644
--- a/nixpkgs/pkgs/test/default.nix
+++ b/nixpkgs/pkgs/test/default.nix
@@ -3,26 +3,95 @@
 with pkgs;
 
 {
-  cc-wrapper = callPackage ./cc-wrapper { };
-  cc-wrapper-gcc = callPackage ./cc-wrapper { stdenv = gccStdenv; };
-  cc-wrapper-gcc7 = callPackage ./cc-wrapper { stdenv = gcc7Stdenv; };
-  cc-wrapper-gcc8 = callPackage ./cc-wrapper { stdenv = gcc8Stdenv; };
-  cc-wrapper-gcc9 = callPackage ./cc-wrapper { stdenv = gcc9Stdenv; };
-  cc-wrapper-clang = callPackage ./cc-wrapper { stdenv = llvmPackages.stdenv; };
-  cc-wrapper-libcxx = callPackage ./cc-wrapper { stdenv = llvmPackages.libcxxStdenv; };
-  cc-wrapper-clang-5 = callPackage ./cc-wrapper { stdenv = llvmPackages_5.stdenv; };
-  cc-wrapper-libcxx-5 = callPackage ./cc-wrapper { stdenv = llvmPackages_5.libcxxStdenv; };
-  cc-wrapper-clang-6 = callPackage ./cc-wrapper { stdenv = llvmPackages_6.stdenv; };
-  cc-wrapper-libcxx-6 = callPackage ./cc-wrapper { stdenv = llvmPackages_6.libcxxStdenv; };
-  cc-wrapper-clang-7 = callPackage ./cc-wrapper { stdenv = llvmPackages_7.stdenv; };
-  cc-wrapper-libcxx-7 = callPackage ./cc-wrapper { stdenv = llvmPackages_7.libcxxStdenv; };
-  cc-wrapper-clang-8 = callPackage ./cc-wrapper { stdenv = llvmPackages_8.stdenv; };
-  cc-wrapper-libcxx-8 = callPackage ./cc-wrapper { stdenv = llvmPackages_8.libcxxStdenv; };
-  cc-wrapper-clang-9 = callPackage ./cc-wrapper { stdenv = llvmPackages_9.stdenv; };
-  cc-wrapper-libcxx-9 = callPackage ./cc-wrapper { stdenv = llvmPackages_9.libcxxStdenv; };
+  cc-wrapper = with builtins; let
+    pkgNames = (attrNames pkgs);
+    llvmTests = let
+      pkgSets = lib.pipe pkgNames [
+        (filter (lib.hasPrefix "llvmPackages"))
+        (filter (n: n != "llvmPackages_rocm"))
+        (filter (n: n != "llvmPackages_latest"))
+        (filter (n: n != "llvmPackages_git"))
+      ];
+      tests = lib.genAttrs pkgSets (name: recurseIntoAttrs {
+        clang = callPackage ./cc-wrapper { stdenv = pkgs.${name}.stdenv; };
+        libcxx = callPackage ./cc-wrapper { stdenv = pkgs.${name}.libcxxStdenv; };
+      });
+    in
+      tests;
+    gccTests = let
+      pkgSets = lib.pipe (attrNames pkgs) ([
+        (filter (lib.hasPrefix "gcc"))
+        (filter (lib.hasSuffix "Stdenv"))
+        (filter (n: n != "gccCrossLibcStdenv"))
+      ] ++ lib.optionals (!(
+        (stdenv.buildPlatform.isLinux && stdenv.buildPlatform.isx86_64) &&
+        (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64)
+      )) [
+        (filter (n: !lib.hasSuffix "MultiStdenv" n))
+      ]);
+    in lib.genAttrs pkgSets (name: callPackage ./cc-wrapper { stdenv = pkgs.${name}; });
+  in recurseIntoAttrs {
+    default = callPackage ./cc-wrapper { };
+
+    supported = stdenv.mkDerivation {
+      name = "cc-wrapper-supported";
+      builtGCC =
+        let
+          names = lib.pipe (attrNames gccTests) ([
+            (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.cc))
+            # Broken
+            (filter (n: n != "gcc49Stdenv"))
+            (filter (n: n != "gccMultiStdenv"))
+          ] ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
+            # fails with things like
+            # ld: warning: ld: warning: object file (trunctfsf2_s.o) was built for newer macOS version (11.0) than being linked (10.5)
+            # ld: warning: ld: warning: could not create compact unwind for ___fixunstfdi: register 20 saved somewhere other than in frame
+            (filter (n: n != "gcc11Stdenv"))
+          ]);
+        in
+        toJSON (lib.genAttrs names (name: { name = pkgs.${name};  }));
+
+      builtLLVM =
+        let
+          names = lib.pipe (attrNames llvmTests) ([
+            (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.stdenv.cc))
+            (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.libcxxStdenv.cc))
+
+            # libcxxStdenv broken
+            # fix in https://github.com/NixOS/nixpkgs/pull/216273
+          ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isAarch64) [
+            # libcxx does not build for some reason on aarch64-linux
+            (filter (n: n != "llvmPackages_7"))
+          ] ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
+            (filter (n: n != "llvmPackages_5"))
+            (filter (n: n != "llvmPackages_6"))
+            (filter (n: n != "llvmPackages_7"))
+            (filter (n: n != "llvmPackages_8"))
+            (filter (n: n != "llvmPackages_9"))
+            (filter (n: n != "llvmPackages_10"))
+          ]);
+        in
+        toJSON (lib.genAttrs names (name: { stdenv = pkgs.${name}.stdenv; libcxx = pkgs.${name}.libcxxStdenv;  }));
+        buildCommand = ''
+          touch $out
+        '';
+    };
+
+    llvmTests = recurseIntoAttrs llvmTests;
+    inherit gccTests;
+  };
+
   stdenv-inputs = callPackage ./stdenv-inputs { };
   stdenv = callPackage ./stdenv { };
 
+  hardeningFlags = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix {});
+  hardeningFlags-gcc = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix {
+    stdenv = gccStdenv;
+  });
+  hardeningFlags-clang = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix {
+    stdenv = llvmPackages.stdenv;
+  });
+
   config = callPackage ./config.nix { };
 
   haskell = callPackage ./haskell { };
diff --git a/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md b/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md
index 754d0a2090df..4dd694acd2f0 100644
--- a/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md
+++ b/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md
@@ -1,11 +1,12 @@
 # Nixpkgs pkgs/by-name checker
 
 This directory implements a program to check the [validity](#validity-checks) of the `pkgs/by-name` Nixpkgs directory once introduced.
+It is being used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml).
 This is part of the implementation of [RFC 140](https://github.com/NixOS/rfcs/pull/140).
 
 ## API
 
-This API may be changed over time if the CI making use of it is adjusted to deal with the change appropriately, see [Hydra builds](#hydra-builds).
+This API may be changed over time if the CI workflow making use of it is adjusted to deal with the change appropriately.
 
 - Command line: `nixpkgs-check-by-name <NIXPKGS>`
 - Arguments:
diff --git a/nixpkgs/pkgs/test/texlive/default.nix b/nixpkgs/pkgs/test/texlive/default.nix
index e2c714100f90..12c42444f183 100644
--- a/nixpkgs/pkgs/test/texlive/default.nix
+++ b/nixpkgs/pkgs/test/texlive/default.nix
@@ -373,7 +373,7 @@ rec {
       # (1) binaries requiring --help or -h
       help = [ "arlatex" "bundledoc" "cachepic" "checklistings" "dvipos" "extractres" "fig4latex" "fragmaster"
         "kpsewhere" "latex-git-log" "ltxfileinfo" "mendex" "perltex" "pn2pdf" "psbook" "psnup" "psresize" "purifyeps"
-        "simpdftex" "tex2xindy" "texluac" "texluajitc" "urlbst" "yplan" ];
+        "simpdftex" "tex2xindy" "texluac" "texluajitc" "upmendex" "urlbst" "yplan" ];
       shortHelp = [ "adhocfilelist" "authorindex" "bbl2bib" "bibdoiadd" "bibmradd" "biburl2doi" "bibzbladd" "ctanupload"
         "disdvi" "dvibook" "dviconcat" "getmapdl" "latex2man" "listings-ext.sh" "pygmentex" ];
       # (2) binaries that return non-zero exit code even if correctly asked for help